Missing root certificate in the Full chain about pebble HOT 4 CLOSED

Hi @jderusse, thanks for opening an issue.

The root certificate is not intended to be included in the chain. Only the end entity certificate and any of the intermediate certificates required to build a path from the end entity cert to a root already present on the client systems should be in the chain.

Are you not seeing the correct intermediates included?

from pebble.

Hello @cpu, thank for your reply.

The current chain certificate is well formatted with intermediate includes, my point concerns only the Root certificate. (Notice that letsencrypt version 1 provides this root certificate)

This Root certificates is required by AWS when installing certificates on ELB (see https://aws.amazon.com/premiumsupport/knowledge-center/load-balancer-certificate/?nc1=f_ls)

If it's not possible for pebble to include this root certificate in the chain? I guess, that regarding your response, it's not possible :-)

If not, what is the best way to fetch it? Does pebble (and boulder) expose and endpoint?

from pebble.

Hmm, I just tried to upload the chain certificate to AWS (without the root certificate) and it works...

I'm not sure what AWS means by The certificate chain starts with the certificate that was generated by your CA and ends with your CA's root certificate but it look like the root certificate itself is not required.

Closing this issue, thank you @cpu for your support

from pebble.

I think the reason for this behavior was that the intermediate certificate was self-signed (which was fixed in #148). I've created a new issue for the question how to obtain the root certificate.

from pebble.